On Sun, 10 Jun 2007, Crispin Cowan wrote:exactly. say that we give each file a unique label, and for simplicity we set the label == path (note that this raises the issue, what will SELinux do when there are multiple paths to the same file) now say that you want to grant apache access to all files that have labels that follow the pattern '/home/*/http/* ? you are either going to use regex matching, or you are going to have to enumerate every label that matches this (potentially a very large list). and if you try to generate the enumerated list you need to add a label to the list if a file is renamed or created to match the pattern, and delete a file from the list if it is renamed to no longer match the pattern AA as-is needs to figure out how to deal with bind-mounts, and how to handle hardlink creation in a more ganular manner (and potentially other resources like network sockets), but it's useful now even without these improvements AA over SELinux would need for SELinux to figure out how to handle file creation, file renames, and multiple paths for the same file (hard-links and bind-mounts). In addition a userspace daemon would have to be written to re-label files and/or change policy on the fly as files are renamed. the result would still have race conditions due to the need to re-label large numbers of files ACPI should have taught everyone that sometimes putting an interpreter in the kernel really is the best option. looking at the problems of bouncing back out to userspace for file creation and renames it looks like a regex in the kernel is a lot safer and more reliable. David Lang -
